To receive services from a network, an unknown user equipment (UE) needs to register with the network or otherwise become known to the network. This is accomplished using a network attach procedure. As part of the attach procedure, the UE sends its international mobile subscriber identity (IMSI) number. The IMSI is a unique identification that the UE uses on all networks it communicates with (or which communicate on its behalf). The UE sends the IMSI with the attach request that is received at a mobility management entity (MME).
In an attempt to protect the IMSI from eavesdroppers and tracking, a temporary mobile subscriber identity (TMSI) can be used after initially authenticating the UE. The TMSI is local to a specific area and, therefore, must be reassigned in each area. Further, the TMSI is first assigned after the UE provides the IMSI for initial authentication (and so that the assignment of the TMSI can be associated with the UE's real identity). Sometimes a globally unique temporary UE identity (GUTI) is provided in the initial attach request instead of the IMSI. Where the UE sends a GUTI instead of its IMSI, the MME requests identification from other network elements that may have interacted with the UE previously. If the UE is known to other network elements, those other network elements respond with the IMSI. If the UE is not known, the MME then asks the UE to provide its IMSI for identification that is later used for update procedures with a location register.
Under any of the approaches above, the IMSI is still vulnerable. The IMSI is either included in the initial attach request or must be provided later in order to be authenticated. Thus, the IMSI may be monitored passively via the over-the-air traffic and used to determine a user identity. Oftentimes the IMSI in the attach request is in plaintext, rendering the IMSI even more vulnerable to monitoring. Even in scenarios where the UE does not send the IMSI, the MME still obtains the actual IMSI from other network elements, and several different network elements may store the actual IMSI (e.g., the MME, a serving gateway (S-GW), and/or a PDN gateway (P-GW)). This leaves the IMSI vulnerable and dependent on the trustworthiness of the serving network.
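The three attach paths described above can be traced in a small model that records where the IMSI ends up in each case. This is an added illustration, not part of the original text: the message labels, the class and function names, the sample IMSI and GUTI values, and the assumption that the MME, S-GW and P-GW all store the resolved IMSI are constructed for the example and are not 3GPP encodings.

```python
from dataclasses import dataclass, field

@dataclass
class Network:
    """Constructed model of a serving network (labels are illustrative only)."""
    known_guti: dict = field(default_factory=dict)   # GUTI -> IMSI held by previously visited elements
    air_log: list = field(default_factory=list)      # (message, identity) pairs visible over the air
    imsi_holders: set = field(default_factory=set)   # network elements that store the real IMSI

def attach(net, imsi, guti=None):
    """Run one attach and return the IMSI the MME ends up with."""
    if guti is None:
        # Case 1: the UE puts its IMSI directly in the attach request.
        net.air_log.append(("AttachRequest", imsi))
        resolved = imsi
    else:
        # Case 2: the UE sends a GUTI; the MME asks other network elements.
        net.air_log.append(("AttachRequest", guti))
        resolved = net.known_guti.get(guti)
        if resolved is None:
            # Case 3: nobody knows the GUTI, so the MME asks the UE for its IMSI.
            net.air_log.append(("IdentityRequest", None))
            net.air_log.append(("IdentityResponse", imsi))
            resolved = imsi
    # Assumption: every element named in the text keeps a copy of the IMSI.
    net.imsi_holders.update({"MME", "S-GW", "P-GW"})
    return resolved

def exposure(net, imsi):
    """Report whether the IMSI crossed the air interface and who stores it."""
    over_air = any(identity == imsi for _, identity in net.air_log)
    return {"imsi_over_air": over_air, "imsi_holders": sorted(net.imsi_holders)}

def run_cases():
    imsi, guti = "001010123456789", "GUTI-constructed-0001"  # constructed sample values
    cases = [("imsi_in_attach", None, {}),
             ("guti_known", guti, {guti: imsi}),
             ("guti_unknown", guti, {})]
    results = {}
    for name, sent_guti, known in cases:
        net = Network(known_guti=dict(known))
        assert attach(net, imsi, sent_guti) == imsi  # the MME always learns the real IMSI
        results[name] = exposure(net, imsi)
    return results

if __name__ == "__main__":
    for name, report in run_cases().items():
        print(name, report)
```

In every case the serving network ends up holding the real IMSI, and only the path where the GUTI is already known keeps it off the air interface.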